| author | Paul Eggert | 2011-07-28 18:24:19 -0700 |
|---|---|---|
| committer | Paul Eggert | 2011-07-28 18:24:19 -0700 |
| commit | 0d8f2df7c41d8904df693e4046849751adebd8ab (patch) | |
| tree | f9fc8f8113006216c1056214cfca2a5548161fa8 /src/termcap.c | |
| parent | fee31f82d5279a6faeb2d4cef808e9d7fce2f210 (diff) | |
* termcap.c: Integer and memory overflow issues.
(tgetent): Use ptrdiff_t, not int, to record results of
subtracting pointers.
(gobble_line): Check for overflow more carefully. Don't update size
until alloc done.
Diffstat (limited to 'src/termcap.c')
| -rw-r--r-- | src/termcap.c | 18 |
1 files changed, 10 insertions, 8 deletions
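--- a/src/termcap.c
+++ b/src/termcap.c
@@ -480,7 +480,7 @@ tgetent (char *bp, const char *name)
 /* If BP is malloc'd by us, make sure it is big enough. */
 if (malloc_size)
 {
-int offset1 = bp1 - bp, offset2 = tc_search_point - bp;
+ptrdiff_t offset1 = bp1 - bp, offset2 = tc_search_point - bp;
 malloc_size = offset1 + buf.size;
 bp = termcap_name = (char *) xrealloc (bp, malloc_size);
 bp1 = termcap_name + offset1;
@@ -619,7 +619,6 @@ gobble_line (int fd, register struct termcap_buffer *bufp, char *append_end)
 register char *end;
 register int nread;
 register char *buf = bufp->beg;
-register char *tem;
 
 if (!append_end)
 append_end = bufp->ptr;
@@ -636,14 +635,17 @@ gobble_line (int fd, register struct termcap_buffer *bufp, char *append_end)
 {
 if (bufp->full == bufp->size)
 {
-if ((PTRDIFF_MAX - 1) / 2 < bufp->size)
+ptrdiff_t ptr_offset = bufp->ptr - buf;
+ptrdiff_t append_end_offset = append_end - buf;
+ptrdiff_t size;
+if ((min (PTRDIFF_MAX, SIZE_MAX) - 1) / 2 < bufp->size)
 memory_full (SIZE_MAX);
-bufp->size *= 2;
+size = 2 * bufp->size;
 /* Add 1 to size to ensure room for terminating null. */
-tem = (char *) xrealloc (buf, bufp->size + 1);
-bufp->ptr = (bufp->ptr - buf) + tem;
-append_end = (append_end - buf) + tem;
-bufp->beg = buf = tem;
+bufp->beg = buf = (char *) xrealloc (buf, size + 1);
+bufp->size = size;
+bufp->ptr = buf + ptr_offset;
+append_end = buf + append_end_offset;
 }
 }
 else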
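Review bot: In the tgetent hunk, `malloc_size = offset1 + buf.size;` still adds the two values with no overflow check, unlike the guarded doubling in gobble_line. The declaration of malloc_size is outside the hunk, so if it is still an `int`, the widened `ptrdiff_t` offset is narrowed again on assignment and the truncated value is what reaches xrealloc. Consider guarding the sum the same way, for example `if (min (PTRDIFF_MAX, SIZE_MAX) - buf.size < offset1) memory_full (SIZE_MAX);`, and confirming that malloc_size has a pointer-width type. In gobble_line, a short comment above the new offset declarations, such as `/* Save offsets now; BUF must not be used once xrealloc has returned.  */`, would record why the ordering matters. Both functions begin and end outside the hunks shown.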